tricare health insurance portability accountability act hipaa project l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
TRICARE Health Insurance Portability & Accountability Act (HIPAA) Project PowerPoint Presentation
Download Presentation
TRICARE Health Insurance Portability & Accountability Act (HIPAA) Project

Loading in 2 Seconds...

play fullscreen
1 / 38

TRICARE Health Insurance Portability & Accountability Act (HIPAA) Project - PowerPoint PPT Presentation


  • 159 Views
  • Uploaded on

TRICARE Management Activity. HEALTH AFFAIRS. TRICARE Health Insurance Portability & Accountability Act (HIPAA) Project. HIPAA Privacy - Briefing for Line Leadership. TMA HIPAA Office October 2002. Objectives. Provide a general overview of the HIPAA legislation

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'TRICARE Health Insurance Portability & Accountability Act (HIPAA) Project' - duy


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
tricare health insurance portability accountability act hipaa project

TRICARE

Management

Activity

HEALTH AFFAIRS

TRICARE Health Insurance Portability & Accountability Act (HIPAA) Project

HIPAA

Privacy -

Briefing for Line Leadership

TMA HIPAA Office

October 2002

objectives
Objectives
  • Provide a general overview of the HIPAA legislation
  • Describe the HIPAA Privacy Rule and related concepts
  • Provide examples that translate the DoD Health Information Privacy Regulation into everyday policies and procedures
  • Describe TMA HIPAA implementation activities
  • Outline MTF responsibilities
  • Explain the role of Service Representatives and provide contact information
hipaa legislation
HIPAA Legislation
  • Improve portability & continuity of health insurance coverage
  • Improve access to long-term care services and coverage
  • Simplify the administration of health care

Compliance within two years of effective dates of final rules

hipaa legislation cont d
HIPAA Legislation (cont’d)

HIPAA under PL 104-191 requires compliance with several standards, including:

  • Standards for Electronic Transactions and Code Sets
  • Privacy
  • Security Standards
    • Electronic Signature Standards
    • National Standard Employer Identifier
    • National Standard Health Care Provider Identifier
    • National Standard Health Plan Identifier
mhs roles and responsibilities
MHS Roles and Responsibilities
  • HA – Establish/Maintain Policy and Oversight Responsibilities
  • TMA – Integrate Policy into MHS Implementation Plan
    • Primary for TRICARE Contract HIPAA Impacts
    • Primary for Transactions & Code Sets
    • Secondary for Direct Care System HIPAA Impacts
  • Services/MTFs – Actual Implementation of HIPAA Requirements within Direct Care System
  • Lead Agents
    • Oversee Implementation of HIPAA Rules for Contracted Networks in their Region
    • Maintain a “Foot in Both Camps” to Ensure Regional HIPAA Compliance
components of the privacy rule
Components of the Privacy Rule

Final Rule Published: August 2002

Rule Effective: April 14, 2001

Compliance Date: April 14, 2003

  • Consumer control = Rights for individual patient
  • Boundaries on use and release
  • Ensuring security
  • Accountability and penalties
  • Balancing public responsibility with protections
  • Preserving strong state laws
preemption of state law
Preemption of State Law

The DoD HIPAA Privacy regulation preempts state law except:

  • When disclosing PHI about a minor to a parent, guardian, or person acting in loco parentis of such minor. In this case the laws of the state where treatment is provided applies.
  • When DoD rules, procedures, or other applicable policy call for DoD components to follow state law with respect to the matter.
acronyms definitions
Acronyms & Definitions

IIHI - Individually Identifiable Health Information

PHI - Protected Health Information

TPO - Treatment, Payment and Healthcare Operations

Treatment - provision, coordination, consultation and referral

Payment - billing, reimbursement, eligibility, utilization review

Healthcare Operations - QA, credentialing, legal, medical review, auditing, and regular business and management

Use - Internal utilization or sharing IIHI

Disclosure - External release of IIHI

who what is covered
Who & What is Covered?

Who? Covered entities (CEs)

  • Health care providers who transmit health information in (standard) electronic transactions
  • Health Plans, e.g., TRICARE
  • Health care clearinghouses, e.g., companies that perform electronic billing on behalf of MTFs
  • Our business associates, e.g., managed care support contractors, are not CEs. However, we must contractually bind them to the same standards.

What? Protected Health Information (PHI)

  • Individually identifiable health information including demographics, in electronic, paper or oral medium
  • Held by covered entities or their business associates
patient rights

Patient Rights

Patients have a right to:

A written notice of information practices from health plans and providers

Request to access, inspect and obtain a copy of their protected health information

Request an accounting of disclosures

Request amendment or correction of their records

Request restrictions on uses and disclosures (authorizations)

Accommodation of reasonable communications requests

Complain to the covered entity and to HHS

notice of privacy practices
Notice of Privacy Practices
  • Includes:
    • Uses and disclosure of PHI for TPO
    • Individual’s rights to access, control and request restrictions on use
    • Covered entities’ duties
    • Complaints procedures
    • Contact information
    • Effective date
notice of privacy practices12

Notice of Privacy Practices

MHS-wide notice developed

Release to MTFs in December 2002

Distribution to beneficiaries

Mail to home addresses

TRICARE & MTF websites

Retiree organizations

Centralized electronic tracking of acknowledgement

minimum necessary
Minimum Necessary
  • “Role-based” access limits
      • categorize users by their “need to know” profile and align with IT systems
  • Limit requests for disclosure from other entities to the minimum needed.
  • May rely on judgment of requestor if:
      • public official for permitted disclosure
      • covered entity
      • professional within covered entity
      • business associate for provision of professional service for covered entity
      • researcher with Institutional Review Board documentation
permitted uses disclosures
Permitted Uses & Disclosures

For the permitted uses and disclosures listed below, a patient’s opportunity to agree or object is not required.

  • as required by law
  • avert serious threats to health or safety
  • specialized government functions
  • judicial and administrative proceedings
  • law enforcement purposes
  • cadaver organ, eye or tissue donation purposes
  • victims of abuse, neglect or domestic violence
  • inmates in correctional institutions or in custody
  • workers’ compensation
  • research purposes
  • public health activities
  • health oversight activities
  • about decedents
permitted use required by law
Permitted Use: Required By Law

A covered entity may use or disclose PHI to the extent that such use/disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

permitted use avert serious threats
Permitted Use: Avert Serious Threats
  • A covered entity may use or disclose PHI if:
    • The covered entity in good faith believes the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, to identify or apprehend an individual who has made a statement admitting participation in a violent crime;
    • The disclosure is made to a person(s) reasonably able to prevent or lessen the threat; AND
    • The disclosure is consistent with applicable law and standards of ethical conduct.
permitted use avert serious threats cont d
Permitted Use: Avert Serious Threats (cont’d)
  • Exception: Disclosure may not be made if the covered entity learns the information in the course of treatment, counseling, or therapy to affect the propensity to commit the criminal conduct that is the basis for the disclosure or through a request by the individual to initiate or to be referred for such treatment, counseling, or therapy
  • Limitation: Disclosure is limited to the following information:
    • name and address
    • date and place of birth
    • social security number
    • ABO blood type and Rh factor
    • type of injury
    • date and time of treatment
    • date and time of death, if applicable
    • description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair, scars, and tattoos
permitted use specialized government functions
Permitted Use: Specialized Government Functions
  • PHI may be used or disclosed:
    • For individual who are Armed Forces personnel for activities military command authorities have deemed to be necessary to assure the proper execution of the military ;
    • A U.S. Department of Defense or Transportation covered entity may disclose to the Department of Veterans Affairs (DVA) the PHI of an Armed Forces member upon the member’s separation or discharge from service for the purpose of determining eligibility for federal veterans’ benefits;
    • A DVA covered entity may use and disclose PHI within the DVA to determine eligibility for or provide veterans’ benefits;
    • To authorized federal officials for the conduct of lawful intelligence, counterintelligence, or other national security activities authorized by the National Security Act;
permitted use specialized government functions cont d
Permitted Use: Specialized Government Functions (cont’d)
  • To authorized federal officials for the provision of protective services to the President and other persons under protection of the Secret Service and related federal entities or for the conduct of investigations into threats;
  • To the Department of State to make medical suitability determinations and may disclose whether an individual was found to be medically suitable to Department of State officials who need the information for the purpose of 1) a required security clearance; 2) determine worldwide availability or availability for mandatory service abroad under the Foreign Service Act; OR 3) for a family member to accompany a Foreign Service member abroad;
permitted use specialized government functions cont d20
Permitted Use: Specialized Government Functions (cont’d)
  • By a health plan that is a government program providing public benefits may disclose PHI relating to eligibility for or enrollment in the health plan to another agency administering a government program providing public benefits if a statute or regulation authorizes 1) the sharing of eligibility or enrollment information among agencies, or 2) the maintenance of eligibility or enrollment information in a single or combined data system accessible to all agencies;
  • By a covered entity that is a government agency administering a government program providing public benefits may disclose PHI relating to the program to another covered entity that is also a government agency administering a government program providing public benefits, provided 1) the programs serve the same/similar populations, and 2) disclosure of PHI is necessary to coordinate the covered functions or to improve administration and management relating to the programs’ covered functions.
permitted use judicial and administrative proceedings
Permitted Use: Judicial and Administrative Proceedings
  • PHI may be disclosed:
    • In response to a court order or administrative tribunal, provided that the covered entity discloses only the PHI authorized by the order;
    • In response to a subpoena, discovery request, or other lawful process, in the absence of a court order, provided one of the following circumstances applies:
      • satisfactory assurance is received from the party seeking the PHI that reasonable efforts have been made to ensure that the individual who is the subject of the PHI has been given notice of the request; OR
      • satisfactory assurance is received from the party seeking the PHI that reasonable efforts have been made to secure a qualified protective order
      • as an alternative to either of the above, the covered entity may itself give written notice to the individual or seek a qualified protective order that meet the rule’s requirements
permitted use law enforcement proceedings
Permitted Use: Law Enforcement Proceedings
  • PHI may be disclosed to a law enforcement official:
    • When required by law, including to report certain types of wounds or other physical injuries (excludes laws pertaining to the reporting of child abuse or neglect or other victims of abuse, neglect, or domestic violence);
    • In compliance with a court order or by a court-ordered warrant, or a subpoena or summons issued by a judicial officer;
    • In compliance with a grand jury subpoena;
    • In compliance with an administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that:
permitted use law enforcement proceedings cont d
Permitted Use: Law Enforcement Proceedings (cont’d)
    • the information sought is relevant and material to a legitimate law enforcement inquiry;
    • the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought;
    • De-identified information could not reasonably be used.
  • To identify or locate a suspect, fugitive, material witness, or missing person, limited to the types of information listed on page 17;
  • If the covered entity believes in good faith that the PHI constitutes evidence of criminal conduct that occurred on the covered entity’s premises;
permitted use law enforcement proceedings cont d24
Permitted Use: Law Enforcement Proceedings (cont’d)
  • About an individual who is or is suspected to be a victim of a crime if a law enforcement official requests the information and either the individual agrees to the disclosure or, in the event the individual is unable to give consent due to incapacitation or some other emergency circumstance, the law enforcement official represents that 1) the information is needed to determine whether a violation by law has occurred and the information will not be used against the victim; 2) immediate law enforcement activity would be materially and adversely affected by waiting for the individual to agree to the disclosure; AND 3) the covered entity, in the exercise of professional judgment, determines that the disclosure is in the best interest of the individual;
  • In response to a medical emergency, other than an emergency on the provider’s own premises, if the disclosure appears necessary to alert law enforcement to the commission and nature of a crime; the location of the crime or of its victims; and the identity, description, and location of the perpetrator.
permitted use victims of abuse neglect or violence
Permitted Use: Victims of Abuse, Neglect, or Violence
  • PHI may be disclosed about an individual believed to be the victim of abuse, neglect or domestic violence to a government authority authorized by law to receive reports of abuse, neglect, or domestic violence. This section does not to apply to reporting of child abuse or neglect, which is covered above.
  • Conditions of Disclosure:
    • the individual must agree to the disclosure; OR
    • the covered entity, in the exercise of professional judgment, must determine that the disclosure is necessary to prevent serious harm to the individual or other potential victims OR
    • if the individual is unable to agree due to incapacity, the authorized government authority receiving the PHI must represent that the PHI will not be used against the individual and that an immediate enforcement activity that depends upon the disclosure would be adversely and materially affected by waiting for the individual to agree to the disclosure
permitted use victims of abuse neglect or violence cont d
Permitted Use: Victims of Abuse, Neglect, or Violence (Cont’d)
  • Informing the individual: the covered entity must promptly inform the individual of a disclosure as permitted above, except when:
    • the covered entity believes that informing the individual would place the individual at risk of serious harm, OR
    • the covered entity would be informing a personal representative who is believed to be responsible for the abuse, neglect, or other injury, and informing the personal representative would therefore not be in the best interest of the individual.
permitted use workers compensation
Permitted Use: Workers’ Compensation

PHI may be disclosed to the extent necessary to comply with workers’ compensation laws or other similar laws that provide benefits for work-related injuries or illness without regard to fault.

permitted use inmates in correctional institutions
Permitted Use: Inmates in Correctional Institutions
  • PHI may be disclosed about an inmate or other person in lawful custody to a correctional institution, if the PHI is necessary for:
    • the provision of health care to the individual;
    • the health and safety of the individual or other inmates;
    • the health and safety of the officers, employees, or others at the correctional institution;
    • the health and safety of the individual and officers or other persons responsible for transporting inmates or for their transfer from one facility or setting to another;
    • law enforcement on the premises of the correctional institution;
    • the administration and maintenance of the safety, security, and good order of the correctional institution
permitted use about decedents
Permitted Use: About Decedents
  • PHI may be disclosed:
    • To a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law.
      • Any official of the DoD authorized to perform functions under the authority of the Armed Forces Medical Examiner system under DoD Directive 5154.24 is a medical examiner.
    • To funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent.
permitted use public health activities
Permitted Use: Public Health Activities
  • PHI may be disclosed:
    • To a public health authority for the purpose of preventing/controlling disease, injury or disability, including but not limited to the reporting of disease, injury, vital events (i.e., birth, death), and the conduct of public health surveillance, investigations, and interventions;
    • To a public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect;
    • To a person subject to the jurisdiction of the Food and Drug Administration (FDA), with respect to an FDA-regulated product or activity for which that person has responsibility. The purposes of such disclosure include:
permitted use public health activities cont d
Permitted Use: Public Health Activities (cont’d)
    • To collect or report adverse events, product defects or problems, or biological product deviations
    • To track FDA-regulated products
    • To enable product recalls, repairs, replacement, or “lookback”
    • To conduct post-marketing surveillance
  • To a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, provided the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation;
permitted use public health activities cont d32
Permitted Use: Public Health Activities (cont’d)
  • To an employer about an individual who is a member of the workforce of the employer, provided:
    • The covered entity is a health care provider who is a member of the employer’s workforce or who provides health care to the individual at the request of the employer to conduct an evaluation relating to medical surveillance of the workplace or to evaluate whether the individual has a work-related illness or injury
    • The PHI disclosed consists of findings concerning a work-related illness or injury or a workplace-related medical surveillance
    • The employer needs the findings in order to comply with its obligations under the regulations of the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration, or under state law, AND
    • The covered health care provider provides written notice to the individual that the PHI relating to the medical surveillance of the workplace and work-related illnesses/injuries is disclosed to the employer by giving a copy of the notice to the individual at the time the health care is provided or by posting the notice in a prominent place at the location where the health care is provided.
business associates

Business Associates

Definition: “A person or entity who provides certain functions, activities, or services for or to a covered entity, involving the use and/or disclosure of protected health information.”

Cannot be a member of the health care provider, health plan, or other covered entity's workforce.

Can be a health care provider, health plan, or another covered entity

Excludes covered entities who disclose protected health information to providers for treatment purposes

ba contracts required terms
BA Contracts—Required Terms
  • Use and disclose PHI only as authorized in the contract
    • No further uses and disclosures
    • Such uses and disclosures may not exceed what the covered entity may do under HIPAA
  • Implement appropriate privacy and security safeguards
  • Report unauthorized disclosures to covered entity
  • Meet all patient rights provisions
    • Make available PHI under access, amendment and accounting of disclosures rights
    • Incorporate any amendments to PHI
managing business associates

Managing Business Associates

MHS/MTFs must obtain “satisfactory assurance” that business associates will reasonably safeguard disclosed information and only use the information for the purposes for which the business associate was engaged.

Memorandums of Understanding (MOUs)

Dept of Veterans Affairs

Dept of Transportation/Coast Guard

DoD Medical Privacy Regulation

Contract addendum/amendment

MCSC contract modification

MHS/MTFs are not required to monitor or oversee the means by which their business associates carry out privacy safeguards. However, if a material violation of the contract is discovered, the violation must be cured or the contract terminated.

mtf requirements
MTF Requirements
  • Designate a Privacy Officer
  • Train workforce to protect privacy
  • Assess compliance using TMA tool
  • Review DoD Health Information Privacy Regulation
    • Map protected health information flow
    • Conduct gap analysis & adjust policies/procedures
    • Introduce Notice of Privacy Practices
    • Institute authorization form
    • Establish patient privacy complaint and inquiry procedure
  • Identify and brief responsibilities of communities of interest
mtf privacy officer
MTF Privacy Officer
  • Oversee activities related to compliance with the HIPAA Privacy Rule
  • Establish procedures to track access, use and disclosure of PHI
  • Ensure adherence to MHS policies and procedures at MTF level
  • Train workforce
  • Monitor business associate agreements related to privacy concerns
  • Investigate patient complaints regarding privacy infractions
resources

Resources

www.tricare.osd.mil/hipaa

hipaamail@tma.osd.mil

MTF Information Papers

Beneficiary Pamphlet

MTF Posters

Authorization form template

Updated PO training materials (CD content)